mirror of
https://github.com/django/django.git
synced 2024-12-23 01:25:58 +00:00
Clarified session verification with respect to the current session.
parent 6b83f61e72
commit 4c2a6fe75b
@ -810,6 +810,8 @@ user to the login page or issue an HTTP 403 Forbidden response.
redirects the user to the ``login_url``, optionally including the
``redirect_field_name`` if it is set.

.. currentmodule:: django.contrib.auth

.. _session-invalidation-on-password-change:

Session invalidation on password change
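Review bot: the ``.. currentmodule:: django.contrib.auth`` directive added just before the ``.. _session-invalidation-on-password-change:`` label changes the module context for everything that follows in this file, not only this section, so any later ``.. function::`` directive or unqualified ``:func:`` role will also resolve against ``django.contrib.auth``. Please confirm the remainder of the document still builds without unresolved references, or add a matching ``.. currentmodule::`` where the context is meant to change back.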
@ -829,16 +831,20 @@ If your :setting:`AUTH_USER_MODEL` inherits from
:meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()`
method, authenticated sessions will include the hash returned by this function.
In the :class:`~django.contrib.auth.models.AbstractBaseUser` case, this is an
HMAC of the password field. Django verifies that the hash sent along with each
request matches the one that's computed server-side. This allows a user to log
out all of their sessions by changing their password.
HMAC of the password field. Django verifies that the hash in the session for
each request matches the one that's computed during the request. This allows a
user to log out all of their sessions by changing their password.

The default password change views included with Django,
:class:`django.contrib.auth.views.PasswordChangeView` and the
:class:`~django.contrib.auth.views.PasswordChangeView` and the
``user_change_password`` view in the :mod:`django.contrib.auth` admin, update
the session with the new password hash so that a user changing their own
password won't log themselves out. If you have a custom password change view
and wish to have similar behavior, use this function:
and wish to have similar behavior, use the :func:`update_session_auth_hash`
function. In this case, however, if a user also wants to invalidate the session
from which they're changing their password (for example, if they believe the
session cookie on their machine was stolen), then they also need to log out
that session.

.. function:: update_session_auth_hash(request, user)

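Review bot: the new caveat about the current session would be clearer if it stated the consequence directly: ``update_session_auth_hash`` deliberately keeps the session it is called from valid while every other session for that user is invalidated by the password change, so a user who suspects their cookie was stolen must additionally log out of that session (or the custom view must do it for them). The change from "hash sent along with each request" to "hash in the session for each request" is a good correction, since the hash is held in the server-side session data rather than supplied by the client; "the one that's computed during the request" could also say what it is computed from, e.g. "computed from the user's current password field during the request", so the reader sees why a password change invalidates the other sessions.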